ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nginx Hosting

v1.0.0

Zero-auth static game hosting via the server's local nginx instance. Primary deployment method for all browser games. No login, no token, no user action requ...

0· 183·0 current·0 all-time
by@rogerwu188
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (generic 'Nginx Hosting') align with the instructions (copy static files to an nginx-served directory and reload nginx). However the SKILL.md is tightly bound to a specific host/domain (roger-us02.clawln.net) and specific paths (/data/games/, /etc/nginx/ conf path, /usr/sbin/nginx). The registry metadata did not declare those host-specific paths or binaries — that's an inconsistency.
!
Instruction Scope
Runtime instructions tell the agent to copy arbitrary build files into /data/games/{game-name} and run '/usr/sbin/nginx -s reload'. Those actions require filesystem write access to a system webroot and the ability to control a system service (likely root). The instructions do not limit or validate the files being deployed and offer no guidance about permissions, ownership, or safety checks — this broad scope increases risk.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk. That minimizes install-time risk.
!
Credentials
The skill declares no required env vars/config but the instructions reference sensitive system paths (/etc/nginx/conf.d/roger-us02.clawln.net.conf), the nginx binary (/usr/sbin/nginx), and a writable webroot (/data/games/). Those should have been declared as required config paths/binaries. The lack of declared requirements hides the privileged/system-level effects of running the skill.
!
Persistence & Privilege
The skill does not request 'always:true', but its actions require elevated privileges (writing to /data and reloading nginx). The skill does not document required permissions or recommend running in a sandbox. Because it enables unauthenticated public hosting by copying arbitrary files, it has a meaningful privilege/impact footprint that isn't surfaced in metadata.
What to consider before installing
This skill's instructions will copy files into /data/games/ and reload the host nginx service — actions that typically require root and will publish any deployed content publicly at the hardcoded domain. Before installing or invoking it: (1) verify you actually control roger-us02.clawln.net and the referenced nginx config and SSL cert; (2) confirm the agent will run with appropriate privileges (or run commands manually as an admin); (3) ask the author to list required binaries and config paths (/usr/sbin/nginx, /data/games/, /etc/nginx/...), and to provide safeguards (input validation, ownership/permission steps, sandboxing); (4) audit any files you deploy for malicious content and consider serving from a constrained account or container rather than the host nginx process; (5) if you don't trust the source or cannot validate the host/domain/config, do not run the automated instructions — run the steps manually in a controlled environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dahy8rz0bnyhrc2e340r9es836wgr
183downloads
0stars
1versions
Updated 2h ago
v1.0.0
MIT-0
@rogerwu188
latest
Download

nginx-hosting

Primary deployment method for all games.

Serves static files directly from the host nginx at: https://roger-us02.clawln.net/games/{game-name}/

How It Works

nginx is already running on this host with a valid SSL cert for roger-us02.clawln.net. The /games/ location block is configured to serve files from /data/games/. Deploying a game = copying files + reloading nginx. No external service needed.

nginx config (already applied)

Location block in /etc/nginx/conf.d/roger-us02.clawln.net.conf:

location /games/ {
    alias /data/games/;
    index index.html;
    try_files $uri $uri/ $uri/index.html =404;
}

Deploy a game

# 1. Copy build files
mkdir -p /data/games/{game-name}
cp -r /path/to/build/* /data/games/{game-name}/

# 2. Reload nginx (no downtime)
/usr/sbin/nginx -s reload

# 3. Verify
curl -sk https://roger-us02.clawln.net/games/{game-name}/ | head -3

Update an existing game

Same as deploy — just overwrite the files and reload:

cp -r /path/to/new-build/* /data/games/{game-name}/
/usr/sbin/nginx -s reload

List deployed games

ls /data/games/

Base URL

https://roger-us02.clawln.net/games/

Each game lives at https://roger-us02.clawln.net/games/{game-name}/.

Constraints

  • Static files only (HTML, JS, CSS, images, audio)
  • No server-side logic or databases
  • All games share the same domain and SSL cert
  • nginx binary: /usr/sbin/nginx
  • Games root: /data/games/

Comments

Loading comments...